Computer systems are widely used for data processing and many other applications. As used herein, a “computer system” encompasses enterprise, application and personal computer systems, pervasive computer systems such as personal digital assistants, and embedded computer systems that are embedded in another device such as a home appliance that has another primary functionality.
As information technology continues to expand at a dramatic pace, computer systems are subject to larger numbers of security threats and vulnerabilities. System administrators may be overburdened not only with gathering and maintaining information on new vulnerabilities and patches, but also with the task of determining which patches need to be applied and to which systems. The desire to keep computer systems current with known and developing security threats may produce a problem of enormous proportions.
Many vendors and independent developers have sought to create and develop ways in which computer system administrators can find out the current vulnerability status of their systems. In particular, vendor programs, utilities and locally generated scripts have been provided that can reveal specific information about computer systems. Thus, for example, Microsoft has provided a utility called HFNetChk, created by Shavlik, which scans host systems for missing patches. Moreover, Unix systems have built-in commands that can list operating system and patch level information. Several databases have also been created as repositories of information about computer systems, including IP addresses, operating system vendor and version, and possibly the latest patches applied.
For example, the Mitre Corporation (Mitre.org) has promulgated Common Vulnerabilities and Exposures (CVE), which represent vulnerabilities and exposures using a text string with a chronological identification vector and free-form text. An example CVE is “CVE-2001-0507+free form text”. Moreover, the National Institute of Standards and Technology (NIST) has created the ICAT Metabase, which is a searchable index of information on computer vulnerabilities. Using CVE names, the ICAT Metabase vulnerability indexing service provides a short description of each vulnerability, a list of characteristics of each vulnerability (such as associated attack range and damage potential), a list of the vulnerable software names and version numbers, and links to vulnerability advisory and patch information. See icat.nist.gov/icat.cfm. Also, in the fourth quarter of 2002, Mitre launched the Open Vulnerability Assessment Language (OVAL) initiative, to extend the CVE concept to a common way of vulnerability testing.
The Open Web Application Security Project (owasp.org) is an open source community project that is developing software tools and knowledge-based documentation that help secure Web applications and Web services. The VulnXML project of OWASP aims to develop an open standard data format for describing Web application security vulnerabilities. The project is focused on Web application security vulnerabilities and on building HTTP transactions such as specific headers and requests. See the VulnXML Proof of Concept Vision Document, Version 1.1, Jul. 18, 2002.
The Patch Authentication and Dissemination Capability (PADC) project, sponsored by the Federal Computer Incident Response Center (FedCIRC), an office of the General Services Administration, first announced in November 2002, addresses the more general case of application and operating system vulnerabilities. See padc.fedcirc.gov.
The OASIS Consortium (oasis-open.org) has announced plans to define a standard method of exchanging information concerning security vulnerabilities within Web services and Web applications. See, OASIS Members Collaborate to Address Security Vulnerabilities for Web Services and Web Applications, RSA Security Conference, 14 Apr. 2003.
The Vulnerability Intelligent Profiling Engine (VIPE) is based on technology by B2Biscom (b2biscom.it). VIPE includes two elements, a product and a service. The product is a combination of an inventory and patch management tool, the major part of which is a central database containing all known vulnerabilities and patches for a large list of products. Another part of the database is populated with inventory information. A set of scripts has been developed. The service analyzes and correlates inventory with an existing vulnerability encyclopedia, and provides a knowledge-based approach for assessing vulnerabilities against specific supported operating systems.
Citadel Hercules Automated Vulnerability Remediation from Citadel Security Software (citadel.com) provides software that integrates with industry-leading vulnerability assessment tools and provides appropriate remedies for five classes of vulnerabilities, and a console where the administrator can review the reported vulnerabilities and apply the remedy to the correct system on a network. See Citadel Hercules Automated Vulnerability Remediation Product Brochure, Citadel Security Software, Inc., 2003.
Symantec has an offering that compiles threat management information into a paid service. See eweek.com/article2/0,4149,1362688,00.asp. DeepSight Alert Services are priced at $5K per year as described at enterprisesecurity.symantec.com/products/products.cfm?ProductID=160. Threat Management Services start at $15K per year, per user, as described at enterprisesecurity.symantec.com/content/displaypdf.cfm?pdfid=301.
Finally, the “Cassandra” Incident Response Database is a tool sponsored by the CERIAS center of Purdue University that allows a user to create saved profiles of the services and applications running on the user's networks, typical hosts (standard configurations) or important hosts. Cassandra can then notify the user by email of new vulnerabilities relevant to these profiles. See cassandra.cerias.purdue.edu. Queries (including incremental queries) can also be performed live. However, these results may be missing recently discovered vulnerabilities not yet available from ICAT, and may be missing vulnerabilities that have not been made public. Because the contents are derived from NIST's ICAT servers, CERIAS also offers only best-effort delivery of the contents available from ICAT.
In view of the above, security threat management currently may be a labor-intensive process wherein a computer system's operations staff individually screens security advisories, alerts and Authorized Program Analysis Reports (APARs) to determine their applicability. The operational staff then determines, through research, how to mitigate the threat or apply the remedy using manual techniques.
FIG. 1 is a block diagram illustrating conventional security threat management techniques. As shown in FIG. 1, new computer vulnerabilities and hacking tools are discovered by computer security experts 110 in a variety of roles. Similarly, APARs are provided by vendors 120. The computer vulnerabilities, hacking tools and APARs (often referred to as A3: Advisories, Alerts, APARs) are typically vetted by appropriate security organizations such as Computer Emergency Response Team (CERT/CC) and SysAdmin, Audit, Network, Security (SANS) Institute personnel 130. Threat and vulnerability information is distributed by these organizations primarily via mailing lists 140 that are subscribed to by computer Security Systems Administration (SSA) staffs 150. Diligent SSAs may subscribe to multiple mailing lists 140, thus often receiving duplicate or potentially inconsistent information. SSAs then perform individual research to determine a course of action and how to carry it out. Commonly, they will use Web resources such as Mitre's CVE listing 160 and/or OVAL database 170, and/or NIST's ICAT database 180, to manually collect information for countermeasure application. This may be highly inefficient and costly. Even commercially available vulnerability management products and services may not substantially improve efficiency.
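As an added illustration, not part of the original document, the following Python shows the correlation step an SSA performs by hand: it recognizes CVE names of the form described above (year and sequence number, followed by free-form text) in advisories received from several mailing lists and groups them by CVE, so that the duplicate notices arriving on multiple lists collapse to one item per vulnerability. The advisory text and the list names are constructed sample input; CVE-2001-0507 is the example name from the text, and CVE-2003-1234 is a constructed placeholder.

```python
import re
from collections import defaultdict

# CVE names as described above: "CVE-" + four-digit year + "-" + sequence
# number, with free-form text following. The sequence number was four digits
# when this scheme was introduced; it has since been extended to allow four
# or more digits, which the pattern accepts.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)


def extract_cves(text):
    """Return the distinct CVE names found in text, upper-cased, in order of
    first appearance. Mixed-case spellings of the same name are merged."""
    found = []
    for match in CVE_RE.finditer(text):
        name = "CVE-%s-%s" % (match.group(1), match.group(2))
        if name not in found:
            found.append(name)
    return found


def correlate_advisories(advisories):
    """Group advisories from several mailing lists by the CVE names they cite.

    advisories: iterable of (list_name, subject, body) tuples.
    Returns {cve_name: sorted list of mailing lists that carried it}, so a
    vulnerability announced on three lists is presented once, together with
    where it was seen, instead of as three separate notices."""
    lists_by_cve = defaultdict(set)
    for list_name, subject, body in advisories:
        for cve in extract_cves(subject + " " + body):
            lists_by_cve[cve].add(list_name)
    return {cve: sorted(lists) for cve, lists in lists_by_cve.items()}


# Constructed sample advisories (not real mailing-list traffic).
SAMPLE_ADVISORIES = [
    ("cert-advisory", "Advisory regarding CVE-2001-0507", "Vendor patch available."),
    ("sans-alert", "Re: yesterday's advisory", "Same issue as cve-2001-0507."),
    ("vendor-list", "Security bulletin", "Fixes CVE-2003-1234 and CVE-2001-0507."),
    ("sans-alert", "Weekly digest", "No new vulnerabilities this week."),
]

if __name__ == "__main__":
    for cve, lists in sorted(correlate_advisories(SAMPLE_ADVISORIES).items()):
        print(cve, "seen on:", ", ".join(lists))
```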